Stored Cross-Site Scripting in Jenkins Subversion Plugin by CloudBees
CVE-2022-29046

5.4MEDIUM

Key Information:

Vendor
Jenkins
Status
Jenkins Subversion Plugin
Vendor
CVE Published:
12 April 2022

Summary

The Jenkins Subversion Plugin versions up to 2.15.3 is susceptible to a stored cross-site scripting vulnerability due to inadequate escaping of the name and description fields for List Subversion tags. This weakness allows users with Item/Configure permissions to inject malicious scripts that can be executed in the context of other users accessing the view, potentially leading to unauthorized actions and data exfiltration.

Affected Version(s)

Jenkins Subversion Plugin <= 2.15.3

References

https://www.jenkins.io/security/advisory/2022-04-12/#SECU...
x_refsource_CONFIRM
https://support.apple.com/kb/HT213345
x_refsource_CONFIRM
http://seclists.org/fulldisclosure/2022/Jul/18
mailing-listx_refsource_FULLDISC

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.